Re: Content matching question

[James Lay <jlay () slave-tothe-box net>]

On 2014-01-20 10:58, James Lay wrote:
> Hey all,
>
> So....I'm trying to figure out how to really NOT match certain 
> content,
> but match if the data size is longer then expected.  Example:
>
> I have a packet where the usual data size is say 20 bytes and 
> contains
> the word "bleh".  I know I can content:!"bleh" and away I go.  But 
> say
> that packet is 30 bytes?  That I'd like to see, regardless if it has 
> the
> content "bleh" or not.
>
> What are my options?  Byte_test?  It's not http, so any options with
> that were out.  Thanks for any guidance.
>
> James

Turns out dsize was just what I needed:

dsize:>300

YAY..thanks all.

James


------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!